We are planning a roll-out of RSAM within our IT risk environment and have subsequently been enrolled as part of the project team for this exercise. I have a list of questions surrounding the roll-out and initiation and would surely appreciate your comments with regard to the RSAM system, and would also like to find out what your opinions are surrounding this. Perhaps the following questions and answers would help the thought process to get started on this.
Remediation Management / Track & Trace
- ability to track audit observations. CIxLS, RCA's, IBAM tracking on RSAM
- ability to link CIxLS to open audit observations, IBAMS, etc
- Link incidents to control failure/ineffective controls
SOX Control Management
- Capturing of attestations
- Ability to interface with Opus
- avoiding duplication of manual processes
Compliance
- can additional SOX Control details be added and/or new controls be loaded onto the tool?
- are there processes/procedures to support the usage of RSAM?
Document Storage
- can you upload documents?
- what are the capacity constraints (i.e. would a central repository for audit reports, milestone converstions etc. be available)?
Project Risk Management
- record and track project risks (strategic projects)
Workflows
- is there a workflow and approval mechanism?
- can the system send automated reminders / notifications?
Interface with other systems
- Synergy
- Opus
Training
- application and process training
- where to find training material or is it available?
System access
- who can access for assessments?
- what are the access/licensing limitations?
- are there any constraints (bandwidth, network access) which could delay the roll-out of RSAM?
Reporting
- what kind of reporting would we be able to run from RSAM?
- Executive dashboards per business unit
- Application and Service views
- Weekly/monthly/quarterly reports?
Any help/comments would be appreciated.
Thanks
Regards
Elmari